Re: Automatic RRSIG Refresh in BIND 9.8.2

2017-07-12 Thread Tony Finch
Latitude  wrote:
>
> Should DNSSEC key signing keys and zone signing keys also be located in a
> directory inside the /dynamic directory? Would it be acceptable to have them
> in a directory such as /var/named/chroot/etc/keys/dnssec?

On my master server I have zone files and journals in a .../zone/
directory writable by named, and DNSSEC keys in a different .../key/
directory read-only for named, but writable by a semi-privileged user
that is responsible for key maintenance.

Tony.
-- 
f.anthony.n.finch    http://dotat.at/  -  I xn--zr8h punycode
Shannon: Variable 3, becoming west 4 or 5. Moderate. Occasional drizzle.
Moderate or good.
___
Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe 
from this list

bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users


Re: Automatic RRSIG Refresh in BIND 9.8.2

2017-06-16 Thread Petr Mensik
Hi,

I think you should use file "dynamic/db..signed"; instead. On Red 
Hat /var/named is by default read only to named. It is enforced both by unix 
permissions and SELinux policy. I think you are being blocked by selinux.

Try: sudo ausearch -i -ts recent -m avc -m user_avc -m selinux_err
It may show you some named-related errors.

For dynamic updates, directory /var/named/dynamic is prepared. Signature 
maintaining is processed like dynamic updates to the zone, so write access to 
the zone file and its .jnl is required. You can enable write there, check 
https://bugzilla.redhat.com/show_bug.cgi?id=545128

Regards,
Petr

--
Petr Menšík
Software Engineer
Red Hat, http://www.redhat.com/
email: pemen...@redhat.com  PGP: 65C6C973


- Original Message -
From: "Latitude" <arlendelcasti...@gmail.com>
To: bind-users@lists.isc.org
Sent: Wednesday, June 14, 2017 11:11:05 PM
Subject: Re: Automatic RRSIG Refresh in BIND 9.8.2

Thanks for your reply Tony. Great references. I've got the ARM for 9.8.2
handy but thank you for sending the link to your article and pointing me
to Section 4.9.3 Fully Automatic Signing. It's been helpful to confirm zone
RRSIGs can refresh automatically. 

A zone that was signed with a sigvalidity period to be refreshed every 7
days is not being refreshed and I'm trying to troubleshoot. I've given the
zone statement the *auto-dnssec maintain;* and *update-policy local;*
statements as described, and I'm getting the error below repeatedly in my
/var/log/message feed:

*info: zone /IN: reconfiguring zone keys
.jnl: create: permission denied
named[5952]: 14-Jun-2017 20:38:08.640 general: error: zone /IN:
zone_rekey:dns_journal_open -> unexpected error*

The user *named* has the rwx permissions on the directory containing the
source zone file and the DNSSEC-signed zone file .signed. This
installation is BIND chrooted so the absolute path is
*/var/named/chroot/var/named/*. Is BIND trying to create the .jnl file in
this directory (*/var/named/chroot/var/named/*) and failing to do so? If
so, I don't see why it's having an issue because user:group ownership of the
/var/named/chroot/var/named directory is named:named and permissions are set
to 750 on it. I believe this could be the clue to why my zone RRSIG isn't
being refreshed. A lot of Google searching for this error hasn't yielded
anything to help my situation either. Thank you in advance for any input.

Below are my named.conf and zone statement file excerpts for reference:

named.conf file DNSSEC options:

// DNSSEC options
dnssec-enable yes;
dnssec-validation yes;
dnssec-lookaside auto;
sig-validity-interval 7 2; // RRSIG validity period, BIND 9 ARM, Chapter 6
key-directory "/etc/keys/dnssec"; // Directory containing all DNSSEC keys

//Zone statement
zone "" { 
type master;
update-policy local; 
file "db..signed"; 
auto-dnssec maintain;
allow-query { any; }; 
allow-transfer { xfers; }; 
};




--
View this message in context: 
http://bind-users-forum.2342410.n4.nabble.com/Automatic-RRSIG-Refresh-in-BIND-9-8-2-tp3946p3948.html
Sent from the Bind-Users forum mailing list archive at Nabble.com.
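As an added example, not code from the thread or from ISC: a small Python check that resolves the journal path named will create next to a zone file (zone file plus ".jnl", relative to the directory option inside the chroot) and emulates the owner/group/other permission check for the named uid, so the RHEL read-only /var/named case can be told apart from the writable dynamic/ case before named logs "create: permission denied". The zone name, the temporary layout and the use of the current user in place of named are constructed assumptions; SELinux denials are not modelled, which is what the ausearch command above is for.

```python
import os
import shutil
import tempfile

ZONE = "db.example.com.signed"  # constructed name; the thread's zone is elided

def _has(st, uid, gids, need):
    """Emulate the owner/group/other DAC check for bits `need` (4=r, 2=w, 1=x);
    named never runs as root, so the root bypass is deliberately not modelled."""
    if uid == st.st_uid:
        bits = (st.st_mode >> 6) & 7
    elif st.st_gid in gids:
        bits = (st.st_mode >> 3) & 7
    else:
        bits = st.st_mode & 7
    return bits & need == need

def journal_check(chroot, directory, zone_file, uid, gids):
    """Resolve the journal BIND would create (zone file + '.jnl', relative to the
    `directory` option inside the chroot) and list what would block creating it."""
    zone_path = os.path.join(chroot, directory.lstrip("/"), zone_file)
    zone_dir = os.path.dirname(zone_path)
    problems = []
    if not _has(os.stat(zone_dir), uid, gids, 2 | 1):   # creating a file needs w+x on the dir
        problems.append("%s: named cannot create the .jnl here" % zone_dir)
    if not _has(os.stat(zone_path), uid, gids, 4 | 2):  # rewriting the zone needs r+w on it
        problems.append("%s: named cannot rewrite the zone file" % zone_path)
    return {"journal": zone_path + ".jnl", "problems": problems}

def demo():
    """Constructed layout mimicking RHEL 6: /var/named read-only to named,
    /var/named/dynamic writable; the current user stands in for 'named'."""
    root = tempfile.mkdtemp()
    base = os.path.join(root, "var", "named")
    os.makedirs(os.path.join(base, "dynamic"))
    for sub in ("", "dynamic"):
        with open(os.path.join(base, sub, ZONE), "w") as f:
            f.write("; constructed signed zone file\n")
    os.chmod(os.path.join(base, "dynamic"), 0o770)
    os.chmod(base, 0o550)
    me, gids = os.getuid(), set(os.getgroups())
    try:
        ro = journal_check(root, "/var/named", ZONE, me, gids)
        rw = journal_check(root, "/var/named", "dynamic/" + ZONE, me, gids)
    finally:
        os.chmod(base, 0o750)   # give write back so cleanup can unlink
        shutil.rmtree(root)
    return ro, rw
```

On a real host, call journal_check with the chroot, the named.conf directory option and the zone's file value, and the uid/gids of the named user.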

Re: Automatic RRSIG Refresh in BIND 9.8.2

2017-06-14 Thread Mark Andrews

https://kb.isc.org/article/AA-00320/0/Why-cant-named-update-slave-zone-database-files-slave-journal-files-and-master-zones-from-journals-.html

In message <1497474665849-3948.p...@n4.nabble.com>, Latitude writes:
> Thanks for your reply Tony. Great references. I've got the ARM for 9.8.2
> handy but thank you for sending the link to your article and pointing me
> to Section 4.9.3 Fully Automatic Signing. It's been helpful to confirm zone
> RRSIGs can refresh automatically. 
> 
> A zone that was signed with a sigvalidity period to be refreshed every 7
> days is not being refreshed and I'm trying to troubleshoot. I've given the
> zone statement the *auto-dnssec maintain;* and *update-policy local;*
> statements as described, and I'm getting the error below repeatedly in my
> /var/log/message feed:
> 
> *info: zone /IN: reconfiguring zone keys
> .jnl: create: permission denied
> named[5952]: 14-Jun-2017 20:38:08.640 general: error: zone /IN:
> zone_rekey:dns_journal_open -> unexpected error*
> 
> The user *named* has the rwx permissions on the directory containing the
> source zone file and the DNSSEC-signed zone file .signed. This
> installation is BIND chrooted so the absolute path is
> */var/named/chroot/var/named/*. Is BIND trying to create the .jnl file in
> this directory (*/var/named/chroot/var/named/*) and failing to do so? If
> so, I don't see why it's having an issue because user:group ownership of the
> /var/named/chroot/var/named directory is named:named and permissions are set
> to 750 on it. I believe this could be the clue to why my zone RRSIG isn't
> being refreshed. A lot of Google searching for this error hasn't yielded
> anything to help my situation either. Thank you in advance for any input.
> 
> Below are my named.conf and zone statement file excerpts for reference:
> 
> named.conf file DNSSEC options:
> 
> // DNSSEC options
> dnssec-enable yes;
> dnssec-validation yes;
> dnssec-lookaside auto;
> sig-validity-interval 7 2; // RRSIG validity period, BIND 9 ARM, Chapter 6
> key-directory "/etc/keys/dnssec"; // Directory containing all DNSSEC keys
> 
> //Zone statement
> zone "" { 
> type master;
> update-policy local; 
> file "db..signed"; 
> auto-dnssec maintain;
> allow-query { any; }; 
> allow-transfer { xfers; }; 
> };
-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742 INTERNET: ma...@isc.org


Re: Automatic RRSIG Refresh in BIND 9.8.2

2017-06-14 Thread Latitude
Thanks for your reply Tony. Great references. I've got the ARM for 9.8.2
handy but thank you for sending the link to your article and pointing me
to Section 4.9.3 Fully Automatic Signing. It's been helpful to confirm zone
RRSIGs can refresh automatically. 

A zone that was signed with a sigvalidity period to be refreshed every 7
days is not being refreshed and I'm trying to troubleshoot. I've given the
zone statement the *auto-dnssec maintain;* and *update-policy local;*
statements as described, and I'm getting the error below repeatedly in my
/var/log/message feed:

*info: zone /IN: reconfiguring zone keys
.jnl: create: permission denied
named[5952]: 14-Jun-2017 20:38:08.640 general: error: zone /IN:
zone_rekey:dns_journal_open -> unexpected error*

The user *named* has the rwx permissions on the directory containing the
source zone file and the DNSSEC-signed zone file .signed. This
installation is BIND chrooted so the absolute path is
*/var/named/chroot/var/named/*. Is BIND trying to create the .jnl file in
this directory (*/var/named/chroot/var/named/*) and failing to do so? If
so, I don't see why it's having an issue because user:group ownership of the
/var/named/chroot/var/named directory is named:named and permissions are set
to 750 on it. I believe this could be the clue to why my zone RRSIG isn't
being refreshed. A lot of Google searching for this error hasn't yielded
anything to help my situation either. Thank you in advance for any input.

Below are my named.conf and zone statement file excerpts for reference:

named.conf file DNSSEC options:

// DNSSEC options
dnssec-enable yes;
dnssec-validation yes;
dnssec-lookaside auto;
sig-validity-interval 7 2; // RRSIG validity period, BIND 9 ARM, Chapter 6
key-directory "/etc/keys/dnssec"; // Directory containing all DNSSEC keys

//Zone statement
zone "" { 
type master;
update-policy local; 
file "db..signed"; 
auto-dnssec maintain;
allow-query { any; }; 
allow-transfer { xfers; }; 
};






Re: Automatic RRSIG Refresh in BIND 9.8.2

2017-06-14 Thread Tony Finch
Latitude  wrote:
>
> I have read in Michael W. Lucas' DNSSEC Mastery book that BIND 9.9 and newer
> can automatically sign zones and refresh signatures (RRSIGs), but older
> versions cannot (p. 53).

That isn't entirely correct: BIND has had automatic signing since 9.7
(if I remember correctly - it has been a long time). You just need to
set `auto-dnssec maintain;` and (for simple cases) `update-policy local;`.
See section 4.9.3 on page 26 of
https://ftp.isc.org/isc/bind9/9.8.2/doc/arm/Bv9ARM.pdf

Also see my blog about DNSSEC in BIND 9.8 from 6 years ago (thanks Red Hat
for keeping such ancient relics relevant for so long)
http://fanf.livejournal.com/112476.html

What was new in 9.9 was inline-signing mode. Shameless plug: you can get
something very like inline-signing mode for antediluvian versions of BIND
using my `nsdiff` program http://dotat.at/prog/nsdiff/

Tony.
-- 
f.anthony.n.finch    http://dotat.at/  -  I xn--zr8h punycode
Humber, Thames: East or southeast, veering southwest later, 4 or 5,
occasionally 6 later in Thames. Smooth or slight, occasionally moderate later
in Thames. Fair. Good.


Automatic RRSIG Refresh in BIND 9.8.2

2017-06-14 Thread Latitude
Due to customer requirements, I'm deploying BIND 9.8.2 on RHEL 6.8 and can
neither upgrade BIND to a newer version or upgrade to RHEL 7. I have
successfully configured a master and slave DNS server, DNSSEC, with
Transaction Signatures, and have performed a successful manual zone update,
incremented the serial number, resigned the zone, and completed a zone
transfer of a DNSSEC-signed zone file for which the master server is
authoritative. 

I have read in Michael W. Lucas' DNSSEC Mastery book that BIND 9.9 and newer
can automatically sign zones and refresh signatures (RRSIGs), but older
versions cannot (p. 53). Unfortunately, I have to use BIND 9.8.2. Manually
refreshing RRSIGs for all zones is quite a task if the client requires RRSIGs
to be renewed once per 7 days. Is it possible to automatically refresh RRSIGs
in BIND 9.8.2 by any means?


